Return-Path: <commits-return-2125-archive-asf-public=cust-asf.ponee.io@guacamole.incubator.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 879C1200BF6
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Tue,  6 Dec 2016 05:44:29 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 86402160B21; Tue,  6 Dec 2016 04:44:29 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id AF9F7160B18
	for <archive-asf-public@cust-asf.ponee.io>; Tue,  6 Dec 2016 05:44:28 +0100 (CET)
Received: (qmail 91062 invoked by uid 500); 6 Dec 2016 04:44:27 -0000
Mailing-List: contact commits-help@guacamole.incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@guacamole.incubator.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@guacamole.incubator.apache.org>
List-Post: <mailto:commits@guacamole.incubator.apache.org>
List-Id: <commits.guacamole.incubator.apache.org>
Reply-To: dev@guacamole.incubator.apache.org
Delivered-To: mailing list commits@guacamole.incubator.apache.org
Received: (qmail 91049 invoked by uid 99); 6 Dec 2016 04:44:27 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 06 Dec 2016 04:44:27 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 633901A06F7
	for <commits@guacamole.apache.org>; Tue,  6 Dec 2016 04:44:27 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -6.219
X-Spam-Level: 
X-Spam-Status: No, score=-6.219 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1,
	RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
	RP_MATCHES_RCVD=-2.999] autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024)
	with ESMTP id dmRYvXtTpdRt for <commits@guacamole.apache.org>;
	Tue,  6 Dec 2016 04:44:25 +0000 (UTC)
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with SMTP id 77D355FC61
	for <commits@guacamole.incubator.apache.org>; Tue,  6 Dec 2016 04:44:24 +0000 (UTC)
Received: (qmail 91016 invoked by uid 99); 6 Dec 2016 04:44:23 -0000
Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 06 Dec 2016 04:44:23 +0000
Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33)
	id 902B6E0C09; Tue,  6 Dec 2016 04:44:23 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: jmuehlner@apache.org
To: commits@guacamole.incubator.apache.org
Date: Tue, 06 Dec 2016 04:44:23 -0000
Message-Id: <3f93af9796a0471d9697cfd720ca735c@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [1/2] incubator-guacamole-client git commit: GUACAMOLE-136: Move
 password reset flow into own function. Invoke from getUserContext(),
 not authenticateUser(),
 such that secondary authentication factors have a chance to invalidate the
 auth attempt prior to
archived-at: Tue, 06 Dec 2016 04:44:29 -0000

Repository: incubator-guacamole-client
Updated Branches:
  refs/heads/master 32e5c3e68 -> 18565d171


GUACAMOLE-136: Move password reset flow into own function. Invoke from getUserContext(), not authenticateUser(), such that secondary authentication factors have a chance to invalidate the auth attempt prior to password reset.


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/4a1ffbfd
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/4a1ffbfd
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/4a1ffbfd

Branch: refs/heads/master
Commit: 4a1ffbfdccd0d42e44a164bdbd89176fe1a098ef
Parents: 32e5c3e
Author: Michael Jumper <mjumper@apache.org>
Authored: Sat Dec 3 13:39:42 2016 -0800
Committer: Michael Jumper <mjumper@apache.org>
Committed: Mon Dec 5 20:13:59 2016 -0800

----------------------------------------------------------------------
 .../jdbc/JDBCAuthenticationProviderService.java |  6 ++
 .../guacamole/auth/jdbc/user/UserService.java   | 90 ++++++++++++--------
 2 files changed, 62 insertions(+), 34 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
index 8f98c74..a0d422a 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java
@@ -25,6 +25,7 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.jdbc.sharing.user.SharedAuthenticatedUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUser;
 import org.apache.guacamole.auth.jdbc.user.ModeledUserContext;
+import org.apache.guacamole.auth.jdbc.user.UserModel;
 import org.apache.guacamole.auth.jdbc.user.UserService;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.AuthenticationProvider;
@@ -98,6 +99,11 @@ public class JDBCAuthenticationProviderService implements AuthenticationProvider
 
         }
 
+        // Update password if password is expired
+        UserModel userModel = user.getModel();
+        if (userModel.isExpired())
+            userService.resetExpiredPassword(user, authenticatedUser.getCredentials());
+
         // Link to user context
         ModeledUserContext context = userContextProvider.get();
         context.init(user.getCurrentUser());

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4a1ffbfd/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
index 16f25b5..c83d6cb 100644
--- a/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
+++ b/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/user/UserService.java
@@ -319,40 +319,6 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
         if (!user.isAccountAccessible())
             throw new GuacamoleClientException("LOGIN.ERROR_NOT_ACCESSIBLE");
 
-        // Update password if password is expired
-        if (userModel.isExpired()) {
-
-            // Pull new password from HTTP request
-            HttpServletRequest request = credentials.getRequest();
-            String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
-            String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
-
-            // Require new password if account is expired
-            if (newPassword == null || confirmNewPassword == null) {
-                logger.info("The password of user \"{}\" has expired and must be reset.", username);
-                throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
-            }
-
-            // New password must be different from old password
-            if (newPassword.equals(credentials.getPassword()))
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
-
-            // New password must not be blank
-            if (newPassword.isEmpty())
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
-
-            // Confirm that the password was entered correctly twice
-            if (!newPassword.equals(confirmNewPassword))
-                throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
-
-            // Change password and reset expiration flag
-            userModel.setExpired(false);
-            user.setPassword(newPassword);
-            userMapper.update(userModel);
-            logger.info("Expired password of user \"{}\" has been reset.", username);
-
-        }
-
         // Return now-authenticated user
         return user.getCurrentUser();
 
@@ -398,4 +364,60 @@ public class UserService extends ModeledDirectoryObjectService<ModeledUser, User
 
     }
 
+    /**
+     * Resets the password of the given user to the new password specified via
+     * the "new-password" and "confirm-new-password" parameters from the
+     * provided credentials. If these parameters are missing or invalid,
+     * additional credentials will be requested.
+     *
+     * @param user
+     *     The user whose password should be reset.
+     *
+     * @param credentials
+     *     The credentials from which the parameters required for password
+     *     reset should be retrieved.
+     *
+     * @throws GuacamoleException
+     *     If the password reset parameters within the given credentials are
+     *     invalid or missing.
+     */
+    public void resetExpiredPassword(ModeledUser user, Credentials credentials)
+            throws GuacamoleException {
+
+        UserModel userModel = user.getModel();
+
+        // Get username
+        String username = user.getIdentifier();
+
+        // Pull new password from HTTP request
+        HttpServletRequest request = credentials.getRequest();
+        String newPassword = request.getParameter(NEW_PASSWORD_PARAMETER);
+        String confirmNewPassword = request.getParameter(CONFIRM_NEW_PASSWORD_PARAMETER);
+
+        // Require new password if account is expired
+        if (newPassword == null || confirmNewPassword == null) {
+            logger.info("The password of user \"{}\" has expired and must be reset.", username);
+            throw new GuacamoleInsufficientCredentialsException("LOGIN.INFO_PASSWORD_EXPIRED", EXPIRED_PASSWORD);
+        }
+
+        // New password must be different from old password
+        if (newPassword.equals(credentials.getPassword()))
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_SAME");
+
+        // New password must not be blank
+        if (newPassword.isEmpty())
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_BLANK");
+
+        // Confirm that the password was entered correctly twice
+        if (!newPassword.equals(confirmNewPassword))
+            throw new GuacamoleClientException("LOGIN.ERROR_PASSWORD_MISMATCH");
+
+        // Change password and reset expiration flag
+        userModel.setExpired(false);
+        user.setPassword(newPassword);
+        userMapper.update(userModel);
+        logger.info("Expired password of user \"{}\" has been reset.", username);
+
+    }
+
 }